BlackLotus: A Stealthy UEFI Bootkit Bypassing Secure Boot

March 1, 2023

Researchers from ESET have discovered a new stealthy Unified Extensible Firmware Interface (UEFI) bootkit, named BlackLotus, that is able to bypass Secure Boot on Windows 11. Secure Boot is a security feature designed to detect tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. BlackLotus is the first UEFI bootkit that is able to bypass the security feature on fully up-to-date Windows 11 systems.

The powerful malware is offered for sale at $5,000, with $200 payments per new updates. Black Lotus is written in assembly and C and is only 80kb in size, the malicious code can be configured to avoid infecting systems in countries in the CIS region. The malware supports anti-virtualization, anti-debugging, and code obfuscation. It is able to disable security solutions, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender. Black Lotus is able to bypass security defenses like UAC and Secure Boot, it is able to load unsigned drivers used to perform a broad range of malicious activities. It can achieve persistence at the UEFI level with Ring 0 agent protection and supports a full set of backdoor capabilities.

Scott Scheferman from firmware security firm Eclypsium commented, “Considering this tradecraft used to be relegated to APTs like the Russian GRU and APT 41 (China nexus), and considering prior criminal discoveries we’ve made (e.g. Trickbot‘s #Trickboot module), this represents a bit of a ‘leap’ forward, in terms of ease of use, scalability, accessibility and most importantly, the potential for much more impact in the forms of persistence, evasion and/or destruction.”

The bootkit exploits the vulnerability CVE-2022-21894 to bypass UEFI Secure Boot and maintain persistence. This is the first publicly known bootkit that abuses this vulnerability in the wild. Upon successful installation of the bootkit, the malicious code deploys a kernel driver and an HTTP downloader, used for C2 communication, which can load additional user-mode or kernel-mode payloads.

Unfortunately, due to the complexity of the UEFI ecosystem and related supply-chain problems, many of these vulnerabilities have left many systems vulnerable even a long time after the vulnerabilities have been fixed – or at least after we were told they were fixed. It was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled. As Eclypsium suggested last year in their RSA presentation, all of this makes the move to the ESP more feasible for attackers and a possible way forward for UEFI threats – the existence of BlackLotus confirms this.

Latest News

• Cisco Patches Critical RCE Vulnerability in IP Phones
• Critical Vulnerabilities in PTC Products Patched
• Security Defects in TPM 2.0 Reference Library Expose Devices to Code Execution Attacks
• CISA Adds CVE-2022-36537 to Known Exploited Vulnerabilities Catalog
• Hackers Exploit Critical Vulnerabilities in Houzez Theme and Plugin